You must be thinking that I'm kidding. Nope I'm not. Let me explain. After installing Linux the first thing you should do is turn off all services and deny all incoming traffic till you configured the box securely.
But why...? A default installation could run many nonessential services. These services can turn into security risks. Do not create a sense of embarrassment for yourself. It would be a shame if cracker use your server before you or your customer/client The best defense is to turn off all unwanted service, till you apply all patches and setup firewall rules :).
Rule # 1, Stop unwanted services as soon as you boots server For example STOP the inetd or xinetd service:
# /etc/init.d/inetd stop # /etc/init.d/xinetd stop
OR Red Hat Linux user can try service command
# service xinetd stop
Rule # 2, Stop ALL unwanted runlevel services which starts automatically when Linux comes up (boots up) Use tool such as chkconfig under Red Hat / Fedora Linux:
a) List all services
# chkconfig --list | less
b) Remove/Delete service:
# chkconfig --del {service-name}
To disable/remove xinetd at startup use command as follows:
# chkconfig --del xinetd
Tip: You can also use ntsysv menu based utility.
Debian Linux user can try out update-rc.d script. For example to stop xinetd service you can type command as follows:
# update-rc.d -f xinetd remove
You can also manage the removal of unwanted services via /etc/rc?.d symlinks. If you are new use above tools. Also look at the several easy to use utilities that faciliate the managment of system v initialization script in our article Removing Unwanted Startup Debian Files or Services
Step #3, Enable firewall Setup iptables and deny all incoming traffic but allow outgoing traffic (so that you can download all the patches). Here is sample iptables script:
#!/bin/sh # My system IP/set ip address of server SERVER_IP="202.54.1.25" # Flush all rules iptables -F iptables -X # Setting default filter policy iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP # Allow unlimited traffic on loopback iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # allow input to only outgoing connection like DNS queries iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # make sure nothing comes in iptables -A INPUT -j DROP
Save the script and execute it.
Step #4, You are done. What next? All the above 3 steps will take less than 5 minutes to create a more secure box. Following are general steps you should perform. Now even if it is going to take 4 hours, you don't have to worry about crackers
- Add all security related patches (use up2date i.e. RHN or apt-get update command)
- Remove unwanted software (rpm -e or apt-get remove command)
- Configure server software such as apahce, ftp, mail services
- Create firewall rules according to your companies security policy
- Create users and groups
- Setup all permission
- Document what has been done and what is running inside the box
- Finally send an email notification to your IT team or customer/client that he/she can use the server.
Please note that OpenBSD and some other Linux distros follows secure by default design. Especially OpenBSD does not runs out of box unneeded services. Linux by default tries to be little bit user friendly and hence many distribution provides maximize out of box services.
No comments:
Post a Comment